[Xen-devel] [PATCH 1/2] xenstore: sanity check incoming message body lengths
Matthew Daley writes ("[PATCH 1/2] xenstore: sanity check incoming message body
lengths"):
> This is for the client-side receiving messages from xenstored, so there
> is no security impact, unlike XSA-72.
...
> + /* Sanity check message body length. */
> + if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
> + saved_errno = E2BIG;
> + goto error_freemsg;
> + }
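Review bot: at `goto error_freemsg` in the new `msg->hdr.len > XENSTORE_PAYLOAD_MAX` branch, the header has already been taken off the connection, but the `msg->hdr.len` bytes of body it announces are neither read nor discarded, and nothing visible in this hunk marks the handle as unusable. Unless `error_freemsg` closes the connection, the next read will start inside that body. Suggest either tearing the connection down on this path or draining `msg->hdr.len` bytes before returning E2BIG, and extending the comment to say which of the two the code does.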
If this situation should arise, your proposal would discard the
headers of the bogus message and read the start of what would be the
over-long payload as the next header.

Unfortunately, it looks like the existing code already does exactly
this if it experiences a malloc failure!

It would be best to either kill the connection dead, or perhaps to
skip the overlong data.
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
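The framing problem raised in the reply above, as an added example that is not part of the original thread or of the xenstore code: a reader for a length-prefixed stream that returns early on an oversized length (`NAIVE`), next to the two remedies suggested, skipping the data (`SKIP`) and killing the connection (`KILL`). The 16-byte header layout, the 4096-byte cap, the in-memory stream standing in for the socket, and all names (`read_msg`, `second_read`, the policy and result enums) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 4096u   /* assumed cap, stands in for XENSTORE_PAYLOAD_MAX */
struct hdr { uint32_t type, req_id, tx_id, len; };   /* assumed header layout */
struct stream { const uint8_t *buf; size_t size, pos; int dead; };
enum policy { NAIVE, SKIP, KILL };
enum result { MSG_OK = 0, MSG_EOF = -1, MSG_TOOBIG = -2, MSG_DEAD = -3 };

/* Read one framed message; on an oversized body apply the chosen policy. */
static int read_msg(struct stream *s, enum policy p, struct hdr *h, uint8_t *body)
{
    if (s->dead) return MSG_DEAD;
    if (s->size - s->pos < sizeof *h) return MSG_EOF;
    memcpy(h, s->buf + s->pos, sizeof *h);
    s->pos += sizeof *h;
    if (h->len > PAYLOAD_MAX) {
        if (p == KILL) s->dead = 1;          /* never parse this stream again */
        if (p == SKIP) {                     /* drain the body to stay in frame */
            size_t left = s->size - s->pos;
            s->pos += h->len < left ? h->len : left;
        }
        return MSG_TOOBIG;                   /* NAIVE: body bytes are left unread */
    }
    if (s->size - s->pos < h->len) { s->dead = 1; return MSG_EOF; } /* truncated */
    memcpy(body, s->buf + s->pos, h->len);
    s->pos += h->len;
    return MSG_OK;
}

/* Constructed input: a 5000-byte body whose first 16 bytes look like a header
 * (type 99, len 0), followed by one valid message (type 2, body "ok").
 * Returns the type seen by the read after the oversized one, or its error. */
static int second_read(enum policy p)
{
    static uint8_t wire[16 + 5000 + 16 + 2], body[PAYLOAD_MAX];
    struct hdr big = { 1, 0, 0, 5000 }, fake = { 99, 0, 0, 0 }, good = { 2, 0, 0, 2 }, h;
    memset(wire, 0, sizeof wire);
    memcpy(wire, &big, 16);
    memcpy(wire + 16, &fake, 16);
    memcpy(wire + 16 + 5000, &good, 16);
    memcpy(wire + 16 + 5000 + 16, "ok", 2);
    struct stream s = { wire, sizeof wire, 0, 0 };
    if (read_msg(&s, p, &h, body) != MSG_TOOBIG) return -100;
    int r = read_msg(&s, p, &h, body);
    return r == MSG_OK ? (int)h.type : r;
}
int main(void) { printf("%d %d %d\n", second_read(NAIVE), second_read(SKIP), second_read(KILL)); return 0; }
```

Under `NAIVE` the second read accepts the bytes planted in the oversized body as a message of type 99; `SKIP` recovers the real message of type 2, and `KILL` refuses to read further.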